Before updating the ‘rvas[]’ array and incrementing the icon counter, the code performs a check: it verifies that the counter’s current value isn’t greater than 100, which is the number of values the ‘rvas[]’ array can hold. However, it doesn’t check for values equal to 100. Since the valid indices run from 0 to 99, a counter of 100 passes the check and indexes one element past the end, meaning that a malicious user could provide a specially crafted icon to write a ‘uint32_t’ integer beyond the buffer’s bounds.
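The boundary case described above, as an added example that is not the project's code: a small model comparing the described check with an inclusive bound. The names `icon_set`, `add_rva_flawed`, `add_rva_checked`, `feed` and the canary value are assumptions, and an extra slot stands in for the memory after ‘rvas[]’ so the model itself never writes out of bounds.

```c
#include <stdint.h>
#include <stdio.h>

#define RVAS_MAX 100          /* capacity of rvas[] stated in the text */
#define CANARY   0xC0FFEE00u  /* constructed marker value */

/* Hypothetical model: slots[0..99] stand for rvas[]; slots[100] stands for
 * whatever memory follows the array, so the model itself stays in bounds. */
struct icon_set {
    unsigned int cnt;
    uint32_t slots[RVAS_MAX + 1];
};
struct result { unsigned int stored; int past_end_written; };
typedef int (*add_fn)(struct icon_set *, uint32_t);

/* Check as described above: only cnt > 100 is rejected, so cnt == 100 passes. */
static int add_rva_flawed(struct icon_set *s, uint32_t rva) {
    if (s->cnt > RVAS_MAX) return -1;
    s->slots[s->cnt++] = rva;
    return 0;
}

/* Inclusive bound: cnt == 100 is rejected before the store. */
static int add_rva_checked(struct icon_set *s, uint32_t rva) {
    if (s->cnt >= RVAS_MAX) return -1;
    s->slots[s->cnt++] = rva;
    return 0;
}

/* Feed n constructed RVAs and report how many were stored and whether
 * the slot just past rvas[] was overwritten. */
static struct result feed(add_fn add, unsigned int n) {
    struct icon_set s = { 0 };
    struct result r = { 0, 0 };
    s.slots[RVAS_MAX] = CANARY;
    for (unsigned int i = 0; i < n; i++)
        if (add(&s, 0x1000u + 4u * i) == 0) r.stored++;
    r.past_end_written = (s.slots[RVAS_MAX] != CANARY);
    return r;
}

int main(void) {
    struct result a = feed(add_rva_flawed, 150), b = feed(add_rva_checked, 150);
    printf("flawed : stored=%u past_end_written=%d\n", a.stored, a.past_end_written);
    printf("checked: stored=%u past_end_written=%d\n", b.stored, b.past_end_written);
    return 0;
}
```

With the flawed check the 101st entry is the only one that lands past the array, because the counter then becomes 101 and every later call is rejected.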
To fix this, the patch was: